Merge pull request from GHSA-mw2w-2hj2-fg8q

marcovtwout · web-flow · commit 37142be4dc58 · 2023-11-14T10:18:46.000+01:00
Advisory fix
diff --git a/CHANGELOG b/CHANGELOG
@@ -7,6 +7,7 @@ Version 1.1.29 under development
 - Bug #4516: PHP 8 compatibility: Allow union types and intersection types in action declarations (wtommyw)
 - Bug #4523: Fixed translated in Greek class messages in framework requirements view, which they should not be translated (lourdas)
 - Bug #4534: PHP 8.2 compatibility: Fix deprecated dynamic properties in gii/components/Pear/Text/Diff (mdeweerd, marcovtwout)
+- Bug: CVE-2023-47130. Prevent RCE when deserializing untrusted user input (ma4ter222, marcovtwout)
 - Enh #4529: Exceptions thrown while loading fixture file rows now contain more details (eduardor2k)
 - Enh #4533: Various refactorings applied based on PHAN checks (marcovtwout)
 
diff --git a/framework/db/schema/CDbCriteria.php b/framework/db/schema/CDbCriteria.php
@@ -197,10 +197,17 @@ public function __wakeup()
 			foreach($sqlContentFieldNames as $field)
 			{
 				if(is_array($this->$field))
+				{
 					foreach($this->$field as $k=>$v)
-						$this->{$field}[$k]=strtr($v,$map);
-				else
+					{
+						if (is_scalar($v))
+							$this->{$field}[$k]=strtr($v,$map);
+					}
+				}
+				elseif(is_scalar($this->$field))
+				{
 					$this->$field=strtr($this->$field,$map);
+				}
 			}
 		}
 		$this->params=$params;
